Open holyjak opened 4 years ago
PS: I got the tunnel working under vagrant (used a more complete ubuntu system)
I'm afraid ssm-tunnel needs too many privileges to run in Docker. It creates network devices, configures system routing, and calls external Linux commands for it.
You can run it in VirtualBox for sure as that provides a complete system, but Docker? I don't think so. Sorry.
Ok, thank you.
On Mon, 3 Feb 2020, 01:06 Michael Ludvig, notifications@github.com wrote:
Closed #5 https://github.com/mludvig/aws-ssm-tools/issues/5.
@mludvig as far as my understanding goes, a docker container should be roughly equivalent to a normal linux box. What would I be missing here that it wouldn't be possible inside a docker container?
Currently trying to get ssm-tunnel to work for macOS users, which will not be possible as far as I understand, unless we can utilize docker?
@lostdesign ssm-tunnel needs to manipulate the network stack - create a network interface, set up routes, optionally change DNS settings. This is not possible for a process contained in a docker container as far as I can tell. The reason is that a docker container doesn't "own" the kernel, it's only given some resources to work with but can't request to create others.
Prove me wrong, I'd be very happy to provide an easy way to run ssm-tunnel on Mac. But as I understand it docker won't help here.
Use VirtualBox - that's a complete Linux system with its own kernel where ssm-tunnel can do all it needs to do.
Or use ssm-ssh with port forwarding, e.g. this to access your MySQL RDS:
ssm-ssh ec2-user@{some-instance} -L 3306:{mysql-rds-ip}:3306
All ssh port forwarding options are supported: -L, -R, -D, etc.
@mludvig my guess was that you could pass the host's TUN device into the container and do the changes there? Aka using that device and bridging the container's network with the host's. These are just rough speculations, haven't gotten further into it, maybe I am completely off here. I'll research a bit further in that regard and come back with solutions (https://www.reddit.com/r/docker/comments/4cw758/accessing_tuntap_device_inside_of_a_docker/).
SSH isn't an option for us as every resource we need to access (DB, Kafka) is private, so using ssm-tunnel would be the only chance on macOS, either inside docker or a VM.
But thanks for your quick reply, much appreciated!
Alright, I managed to get it to work inside a docker container. The only part that is necessary is sharing /dev or just /dev/net/tun into the container with privileged access.
Which would look like: docker run ... --cap-add=NET_ADMIN --device /dev/net/tun:/dev/net/tun ...
Here is an example Dockerfile, which we used to make it work. We also used SSH to connect any SQL Tool into the container which has the tunnel in order to access the AWS Resources.
FROM amazonlinux
LABEL maintainer="..."
LABEL version="0.1"
LABEL description="SSM Tunnel container for AWS Bastion Stations in MacOS/ Windows"
ENTRYPOINT ["/root/entrypoint.sh"]
EXPOSE 22
RUN install -d /root/.ssh -m 0700
# Install dependencies
# (yum check-update exits 100 whenever updates are available, which aborts an
# && chain; yum update -y refreshes the metadata on its own)
RUN yum update -y \
 && yum install -y sudo jq curl unzip python3-pip net-tools iproute telnet openssh-server openssh-clients
# Allow the SQL tools on the host to ssh into the container as root with a
# password; the ^#* prefix also rewrites lines that are commented out in the
# stock sshd_config
RUN sed -i 's/^#*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config \
 && sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config \
 && sed -i 's/^#*PermitUserEnvironment.*/PermitUserEnvironment yes/' /etc/ssh/sshd_config
COPY entrypoint.sh /root/entrypoint.sh
COPY environment /root/.ssh/environment
COPY sshconfig /root/.ssh/config
# Install AWS CLI v2, Session Manager Plugin and AWS SSM Tools
# (-f makes curl fail on an HTTP error instead of saving an error page)
RUN curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
 && curl -fsSL "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm" -o "session-manager-plugin.rpm" \
 && unzip awscliv2.zip \
 && ./aws/install \
 && yum install -y session-manager-plugin.rpm \
 && pip3 install aws-ssm-tools \
 && aws --version \
 && session-manager-plugin --version \
 && rm -rf awscliv2.zip aws session-manager-plugin.rpm
# Copy AWS local assets
# NOTE: this bakes ~/.aws (credentials included) into an image layer; mounting
# it at run time instead (docker run -v ~/.aws:/root/.aws:ro ...) keeps the
# credentials out of the image
COPY .aws /root/.aws
# Internal tunnel script
COPY tunneldb.sh /root/
RUN chmod +x /root/tunneldb.sh /root/entrypoint.sh
WORKDIR /root
This defo needs some cleaning, but it should be good enough to give a starting point for this. If there is any further interest, I wouldn't mind putting up a Demo Repo without our internal tunnel shell script.
tldr: Create a Docker image with the required dependencies, share TUN device into container with privileged access. Hope I could help @mludvig @holyjak
That's great, thanks for looking at it. If you want to raise a PR with a (tidy) Dockerfile and a small README-docker.md with example usage I can merge it.
You can assign the issue to me. Will open a PR tomorrow morning 👌
This is still on my todo. Scheduled for this week :D Haven't forgotten about it.
@lostdesign Any update on what your entrypoint.sh looks like? Trying to set up the same thing on my Mac. The container gets connectivity fine, just now trying to bridge it.
Ended up making my own solution for the Mac. Still a work in progress but it gets the job done on macOS: ssm-tunneler
It utilizes sshuttle to ssh tunnel into a docker container that is ssm-tunneled into my AWS host, meaning no port 22 open in AWS.
It uses some bash magic to do what this utility does but with a Mac. Windows PowerShell native coming soon.
It would be awesome to be able to run ssm-tools in a docker image for those of us on OSX and those that prefer to keep tools off their system. This is what I tried, and it runs ssm-session; however ssm-tunnel <instance> fails without any clear indication of why: